Via Takes the Network to the Cloud with Zero-Trust
Proofpoint Meta secures users and simplifies management
Based in New York, Via operates a ride-sharing platform that is changing the way people get around cities. Via is smart, planet-friendly, on-demand transit on a mass scale. The growing company operates in New York, Chicago, Washington DC, London, Berlin and Amsterdam. Via licenses its technology to companies building transit systems in major cities worldwide.
As a cloud-native company, Via set out to establish a secure, zero-trust network for users and partners.
Via has a distributed workforce, with over 400 employees and contractors. Instead of a site-based WAN, Via’s technology team provided users with direct access to cloud resources using OpenVPN. Their vision was a zero-trust, user-centric network security architecture that would be enforced consistently, no matter where users worked. Via’s partners are transportation operators based in different countries and cities who also required controlled access to portions of Via’s platform to manage rideshares.
Providing secure access presented several challenges:
- Segmenting and securing access: Each user role required access to a subset of Via’s cloud applications. Managing network segments and access rules created potential risk and operational overhead.
- Complex onboarding: Via’s team had to help partners configure and troubleshoot OpenVPN. This wasn’t sustainable because Via didn’t manage the partners’ devices. Onboarding new customers often took weeks.
Via’s ideal solution would provide granular, zero-trust security and scalability. They preferred a managed service so they would be certain that their security was in expert hands, while they focused on expanding their business.
“With Proofpoint Meta, we are centrally managing a zero-trust network that covers all our applications and data and our employees, contractors and customers.”
- Amir Mehler, Cross-tech TL
Via’s team deployed Proofpoint Meta remote access as the secure platform for managing access to their cloud infrastructure.
Always-on user experience for employees
Via employees with managed devices connect using the Meta client, which replaced OpenVPN. They are authenticated via Okta and a certificate. Once they connect, they continue to work normally, using any type of desktop or web-based application, and all traffic is protected.
Browser-based user experience for customers
Via contractors and customers use MetaConnect, a browser-based access solution. It requires no installation or setup, so it’s optimal for devices that Via doesn’t manage.
Identity-based access policies
In minutes, Via’s administrators onboard new users and assign granular access policies depending on their role—for example, the production environment, the development environment, analytic stores and others. The platform is fully integrated with Okta.
Users are protected by a software-defined perimeter. Once they connect, they can see only the applications and network resources that policy allows. Everything else is invisible. All access is monitored and logged.
In addition to user access, Via used Meta to connect their many cloud deployments to each other—replacing the site-to-site VPN and enabling convenient, central management of all their networking.
Via employees access network resources located in different AWS regions as well as customer sites in specific subnets. Access is set by policy.
MetaConnect for Via contractors and partners
Via partners and contractors access dedicated Via web services in different AWS regions, using a clientless, browser-based solution.
Via’s network is now protected by a software-defined perimeter per user that is dynamically enforced, verified and logged. Policies effectively restrict access for employees, customers and contractors to exactly what is required.
Rapid customer onboarding
New customers and their users can be onboarded within minutes. Administrators import a new user into the administrative console, add the user to a policy group and then send the user a link to the MetaConnect portal.
Efficient, simplified cloud network management
Instead of spending time on firewall configurations to microsegment networks in Amazon, administrators can onboard an AWS VPC or region in minutes. Such tasks are fully automated using the Meta API and are an integrated part of DevOps.